KryptoCibule spreads via pirated software and game torrents.

A previously undocumented malware family called KryptoCibule is mounting a three-pronged cryptocurrency-related attack, while also deploying remote-access trojan (RAT) functionality to establish backdoors to its victims.

According to researchers at ESET, the malware has been seen targeting victims mainly in the Czech Republic and Slovakia, by way of infected pirate content and software torrents.

“KryptoCibule is spread through malicious torrents for ZIP files whose contents masquerade as installers for cracked or pirated software and games,” according to ESET researchers, writing in an analysis on Wednesday. “Almost all the malicious torrents were available on uloz.to, a popular file-sharing site in Czechia and Slovakia.”

They added that KryptoCibule – which derives from the Czech and Slovak words for “crypto” and “onion” – is also notable because of its use of legitimate software and platforms, including the Tor network (hence the “onion” part of the name) and the BitTorrent protocol; the Transmission torrent client; Apache httpd; and the Buru SFTP server.

Looking at timestamps in the various versions of KryptoCibule that ESET has identified, the malware dates from December 2018, researchers said.

A Triple Crypto-Threat

KryptoCibule’s goals are threefold on the cryptocurrency front: It surreptitiously mines Monero and Ethereum on compromised machines, but also can hijack transactions by replacing wallet addresses in the clipboard, and it can steal cryptocurrency-related files.

According to ESET, the latest versions of KryptoCibule use XMRig, an open-source program that mines Monero using the CPU, and kawpowminer, another open-source program that mines Ethereum using the GPU (the latter kicks into action only if a GPU is detected on the host). Both connect to an operator-controlled mining server over a Tor proxy.

“On every iteration of the main loop, the malware checks the battery level and the time since the last user input,” according to the analysis. “It then starts or stops the miner processes based on this information. If the host has received no user input in the last three minutes and has at least 30 percent battery, both the GPU and CPU miners are run without limits. Otherwise, the GPU miner is suspended, and the CPU miner is limited to one thread. If the battery level is under 10 percent, both miners are stopped. This is done to reduce the likelihood of being noticed by the victim.”
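The throttling policy quoted above is what makes the miners hard to notice, and it is also what a defender can look for: a process whose CPU load tracks user idle time rather than any legitimate workload. The following is an added example, not code from ESET or from the malware, that models the reported thresholds (three minutes idle, 30 percent and 10 percent battery) and runs a simple idle-correlated-load heuristic over constructed endpoint telemetry. The sample values, the `Sample` record and the ratio threshold are assumptions made for illustration.

```python
"""Added example: model KryptoCibule's reported miner throttling and detect its
signature in process telemetry. Not ESET's code; telemetry below is constructed."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple

IDLE_THRESHOLD_S = 180   # "no user input in the last three minutes"
FULL_BATTERY_PCT = 30    # "at least 30 percent battery"
STOP_BATTERY_PCT = 10    # "under 10 percent, both miners are stopped"


def miner_policy(idle_s: int, battery_pct: int) -> Tuple[Optional[int], bool]:
    """Return (cpu_threads, gpu_enabled) according to the policy ESET describes.
    cpu_threads None means unlimited; 0 means the CPU miner is stopped."""
    if battery_pct < STOP_BATTERY_PCT:
        return (0, False)                      # both miners stopped
    if idle_s >= IDLE_THRESHOLD_S and battery_pct >= FULL_BATTERY_PCT:
        return (None, True)                    # both miners run without limits
    return (1, False)                          # GPU suspended, CPU limited to one thread


@dataclass
class Sample:
    """One telemetry point an endpoint agent might record (assumed schema)."""
    idle_s: int        # seconds since last keyboard/mouse input
    battery_pct: int   # battery level
    cpu_pct: float     # CPU share of the process under examination


# Constructed (idle seconds, battery percent) pairs shared by both synthetic traces.
_SCENARIO = [(0, 80), (30, 80), (120, 80), (200, 80), (400, 80),
             (900, 80), (5, 80), (10, 80), (600, 20), (700, 5)]


def synth_miner_samples(n_cores: int = 4) -> List[Sample]:
    """Constructed trace of a process that obeys miner_policy on a 4-core host."""
    out = []
    for idle_s, battery in _SCENARIO:
        threads, _gpu = miner_policy(idle_s, battery)
        if threads == 0:
            cpu = 0.0
        elif threads is None:
            cpu = 100.0
        else:
            cpu = 100.0 * threads / n_cores  # one thread on four cores -> 25%
        out.append(Sample(idle_s, battery, cpu))
    return out


def synth_benign_samples() -> List[Sample]:
    """Constructed trace of a heavy but honest process (e.g. a video encoder):
    its load does not depend on whether the user is at the keyboard."""
    return [Sample(idle_s, battery, 90.0) for idle_s, battery in _SCENARIO]


def idle_correlated_load(samples: List[Sample],
                         active_max_idle_s: int = 60,
                         min_ratio: float = 3.0,
                         min_idle_load: float = 50.0) -> dict:
    """Heuristic: compare mean CPU share while the user is active against mean
    CPU share after the idle threshold. A large ratio with a high idle load is
    the profile the throttling policy produces. Samples taken when the battery
    is below the stop threshold are excluded, since the miners are off then."""
    usable = [s for s in samples if s.battery_pct >= STOP_BATTERY_PCT]
    active = [s.cpu_pct for s in usable if s.idle_s < active_max_idle_s]
    idle = [s.cpu_pct for s in usable if s.idle_s >= IDLE_THRESHOLD_S]
    if not active or not idle:
        return {"suspicious": False, "ratio": None}
    active_mean, idle_mean = mean(active), mean(idle)
    ratio = idle_mean / active_mean if active_mean > 0 else float("inf")
    return {
        "suspicious": ratio >= min_ratio and idle_mean >= min_idle_load,
        "ratio": ratio,
        "active_mean": active_mean,
        "idle_mean": idle_mean,
    }


if __name__ == "__main__":
    for name, trace in (("miner-like", synth_miner_samples()),
                        ("benign", synth_benign_samples())):
        print(name, idle_correlated_load(trace))
```

The heuristic deliberately ignores samples in the grey zone between one and three minutes of idle time, where the policy has not yet switched modes, and it would need per-process idle-time correlation from a real agent (for example, sampled process CPU share joined with session idle time) to be used in production; the thresholds are starting points, not tuned values.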

Triple-Threat Cryptocurrency RAT Mines, Steals and Harvests